PwnedPiper: Armis Identifies Nine Vulnerabilities in Hospital Infrastructure

Swisslog Healthcare, the providers of the leading solution for pneumatic tube systems (PTS) in North America, released a statement yesterday regarding nine vulnerabilities in their Translogic PTS system identified by Armis. Swisslog Healthcare’s Translogic PTS system is used in over 80% of hospitals in North America and over 3000 hospitals worldwide. PTS systems play a crucial role in patient care, and are utilized nearly 100% of the time.

The potential vulnerabilities were identified as part of an assessment by Armis, an internationally recognized information security company, and investigated both in the current and prior releases of TransLogic firmware.

Jennie McQuade, Chief Privacy Officer for Swisslog Healthcare, notes that vulnerabilities only exist when a combination of variables exists. The potential for pneumatic tube stations (where the firmware is deployed) to be compromised is dependent on a bad actor who has access to the facility’s information technology network and who could cause additional damage by leveraging these exploits.

Swisslog Healthcare have researched, reviewed, and confirmed potential vulnerabilities which could impact healthcare facilities currently using hardware containing the HMI3 panel when connected via Ethernet. A total of eight vulnerabilities have been detected. All but one of these were subsequently removed in a software release containing updated firmware. Mitigations for the remaining vulnerability were made. Details on mitigations are documented in the company’s Network Communications and Deployment Guide which is readily available to customers.

Steps Taken

Partnering closely with Armis, the following steps were taken following identification of the vulnerabilities:

  1. Confirmed the identity of potentially affected files and versions.
  2. Evaluated the firmware to assess the vulnerabilities and potential implications those vulnerabilities represent.
  3. Provided Armis with versions of the current firmware and the subsequent release (not yet publicly available) to evaluate for the existence of vulnerabilities.
  4. Established a lab environment to recreate the vulnerability.
  5. Replicated vulnerabilities in the test lab environment.
  6. Developed solutions to address the identified vulnerabilities.
  7. Initiated customer contact to offer mitigation strategies and support for onsite IT security teams.

Because Swisslog Healthcare holds security as an organizational priority, our actionable security measures have prepared us to address these types of issues. Significant hardware and software programmatic actions include:

  • Continuous analysis of software code
  • Ongoing patching and testing of operating system compatibility
  • Regular evaluation of product line enhancements
  • Continual collaboration with reputable third-party researchers
  • Regular external audits of product, service, and security practices

Click here for the full statement from Swisslog Healthcare.

We headed to Armis’s site to find out what exactly PwnedPiper is and what hospitals can do about it. The following is a research paper from Armis that outlines PwnedPiper and how they can help.

What was discovered?

Dubbed PwnedPiper, the vulnerabilities allow for complete takeover of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted, but are no longer supported by Swisslog.

This blog will provide a high-level overview of this research and its implications.

Why is this important?

The Swisslog PTS system is vital to hospital operations as it automates logistics and the transport of materials throughout the hospital via a network of pneumatic tubes. The system is designed so that hospitals can provide better patient care with automated material transport that includes highly sensitive materials such as lab specimens, blood products, pathology lab tests, medications, and more. Prior to the use of PTS systems, hospitals were required to transfer the various items manually. Today, due to their wide adoption, these systems are vital for the proper workflow of hospital operations.

The process:

Armis reported the vulnerabilities to Swisslog on May 1, 2021, and has worked with them ever since to fully understand the impact of the vulnerabilities, develop and test a patch that would remediate them, and develop mitigation steps until a patch is installed.

Swisslog Healthcare has released a security advisory today that is available here.

See our proposed mitigation steps and how the Armis platform detects and mitigates these vulnerabilities below.

How could PwnedPiper be used?

These vulnerabilities can enable an unauthenticated attacker to take over Translogic PTS stations and essentially gain complete control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks, as well as allow attackers to leak sensitive hospital information.

The Translogic PTS system is an advanced system that integrates with other hospital systems, which may allow the information shared between these systems to be leaked or manipulated by an attacker if the Translogic PTS network were to be compromised.

Here are examples of such advanced features, and the risks they entail:

  1. The PTS system includes the WhoTube integration with a hospital’s access control system. This integration allows authentication of staff members using their RFID cards, limiting access to PTS stations, and allowing the use of Secure Transfers, in which carriers are released to a certain individual only when they present their RFID card and/or password. While these types of advanced features enhance the physical security of the system, they also expose staff records and their RFID credentials to potential attackers, if the PTS system were to be compromised.
  2. The PTS system supports variable speed transactions which, on the one hand, allow for express shipment of urgent items, while on the other, enable the slow transfer of sensitive items, such as blood products that may be harmed if jolted too quickly within the tubes. If an attacker were to compromise the PTS system, he may alter the system’s speed restrictions, which can in turn damage such sensitive items.
  3. The PTS system offers an alert messaging solution that may integrate with the hospital’s communication solutions, enabling the notification and tracking of delivered carriers, and alerting the PTS system’s maintenance crew to any faults in the system. Abusing these communications can interfere with the hospital’s workflows.

Lastly, compromising the PTS network can allow an attacker to control the carrier’s paths by acting as a man-in-the-middle, and altering the requested destinations of the carriers when a transaction request is sent to the PTS network’s central server. Combining one or more of the described primitives above can allow for a devastating ransomware attack to be unleashed. The attacker can either re-route carriers, derailing the operations of the hospital, or halt the system altogether. The most severe of the discovered vulnerabilities (CVE-2021-37160) can allow an attacker to maintain persistence on compromised PTS stations via their unsecure firmware upgrade procedure, allowing him to hold the stations hostage until a ransom is paid.

While such an attack may ultimately be remediated with manual firmware upgrades of all compromised stations, such a process will take considerable time and effort. Hospitals don’t necessarily have any contingency in place to handle a prolonged shutdown of the PTS system, which ultimately may translate to harm to patient care.

How Armis can Help

Today’s healthcare delivery organizations operate on more than traditional IT systems and connected medical devices. There also exists secondary technology and machines that serve as the infrastructure which facilitates the continuous delivery of patient care. In addition to the Translogic PTS system, hospitals also rely upon elevator control systems in the context of patient movement, temperature control sensors for vaccine storage, gas control systems for suction and oxygen delivery and more. As these critical infrastructure elements connect to the network, they also become targets for exploitation.

Current security measures, including traditional endpoint protection and network security solutions, are simply not designed to protect this infrastructure or identify these types of attacks. The Armis platform has been purpose-built to identify vulnerabilities like PwnedPiper and will help in the following ways:

  • Armis can search for and identify the various components of the Swisslog system, providing complete visibility to the PTS elements.

[Figure: Identifying Swisslog PTS Components]

  • The discovered vulnerabilities will appear as CVEs in the Armis console and all the affected devices will be matched with the CVEs.

[Figure: Matching CVEs to Discovered Swisslog Devices]

  • Policies that detect exploit attempts of the CVEs can be created, alerting security personnel so that remediation steps can be taken.

Armis strongly recommends the use of mitigation steps outlined by Swisslog in their security advisory which can be accessed here.

The full article by Armis with a technical overview and remediation steps can be accessed here.

As always, if you have any questions about your security or how Secure Sense can help, please don’t hesitate to reach out to us at sales@securesense.ca or 866-999-7506. 

